Need to add an option to avoid scanning the Internet IPs #2940
Comments
This one should get implemented in my opinion, since I am getting abuse messages from my service provider, just like that message above in OP
##########################################################################
Netscan detected from host XXXXX
##########################################################################
time protocol src_ip src_port dest_ip dest_port
Sat May 16 12:06:19 2020 TCP 78.46.249.71 9000 => 10.0.0.2 9000
please make sure that packages with private subnets as destination do not leave your external interface as those addresses are not allowed to be routed on the Internet. Here is a brief list of all private sub nets:
-----------------%<-----------------
https://tools.ietf.org/html/rfc1918
https://tools.ietf.org/html/rfc6598
https://tools.ietf.org/html/rfc3927
-----------------%<-----------------
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
100.64.0.0/10
169.254.0.0/16
-----------------%<-----------------
The providers seem to get fed up slowly with these netscans, they happen only on restarts it seems and they're random
The netscan happens upon node.sh restart, manual or before via OOB. It then scans a bunch of private subnets as seen above. It does not happen every time a node is restarted though. Currently only Hetzner seem to track this closely enough, but if they can see it then other providers might too and start closing down people's instances. I would advise a quick resolve of this one. I quickly glanced at node.sh and I actually don't see much that could cause it there, so there is a possibility this derives from any other file, lib, or harmony binary?
This is likely another node runner's On my own personal (not work) machines I firewall all RFC 1918 traffic. I can't do that on our nodes since they actually are NATed and those IPs are valid. This is really really rude on node operator's part because they're advertising IPs that could actually be valid but are pointing to a different machine.
Also got hit from Hetzner for this exact issue. Would love to see a fix deployed soon.
Is there an update on this issue? @sophoah
Any update?
FYI, this has been addressed: 947c6ef
Problem/limitation At Hand
We've got a message from our FN partner that he received a warning from the IDC operator, as follows:
Which component?
Proposed Solution
Need to add an option like --no-private-ipv4 to avoid scanning the Internet IPs
Additional Context
Can refer to the PR from Polkadot
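The filtering that an option such as --no-private-ipv4 implies, sketched as an added example (not code from harmony or from commit 947c6ef): advertised peer addresses are checked against the five ranges in the provider's notice before any dial is attempted. `IsNonRoutable`, `FilterDialable` and the peer list are hypothetical names and constructed sample data.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Ranges listed in the provider's abuse notice (RFC 1918, RFC 6598, RFC 3927).
var nonRoutable = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("169.254.0.0/16"),
}

// IsNonRoutable reports whether addr is in one of the listed ranges. IPv4-mapped
// IPv6 (::ffff:10.0.0.2) is unmapped first, or it would not match an IPv4 prefix.
func IsNonRoutable(addr netip.Addr) bool {
	addr = addr.Unmap()
	for _, p := range nonRoutable {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// FilterDialable splits advertised "ip:port" peers into those to dial and those
// dropped. noPrivateIPv4 stands in for the proposed option (hypothetical
// parameter); unparsable entries are always dropped.
func FilterDialable(peers []string, noPrivateIPv4 bool) (dial, dropped []string) {
	for _, p := range peers {
		ap, err := netip.ParseAddrPort(p)
		if err != nil || (noPrivateIPv4 && IsNonRoutable(ap.Addr())) {
			dropped = append(dropped, p)
			continue
		}
		dial = append(dial, p)
	}
	return dial, dropped
}

func main() {
	// Constructed peer list; 10.0.0.2:9000 is the destination from the notice.
	peers := []string{"10.0.0.2:9000", "100.64.0.1:6000", "[::ffff:192.168.1.5]:9000", "203.0.113.7:9000"}
	dial, dropped := FilterDialable(peers, true)
	fmt.Println("dial:", dial, "dropped:", dropped)
}
```

On NATed deployments where private peers are legitimate, as one commenter describes, the flag would be left off and every parsable address is kept.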